Netgate Discussion Forum

Official server for ~100 users,3xWAN (500Mbps each),OpenVPN,Snort,Squid,CARP?

Hardware
  • C
    CDuv
    last edited by Sep 20, 2016, 10:13 AM

    I am looking to buy a reliable hardware server for pfSense but fail to determine which requirements/model I need.

    Here are my uses:

    • About 100 users

    • Multi-WAN (load-balancing) scenario with 3 connections of 500Mbps each

    • Router redundancy: I would need extra Ethernet port and 2 servers

    • OpenVPN server: roaming and point-to-point

    • Snort or Suricata IDS

    • Captive Portal

    • Squid (possibly, not sure yet)

    According to https://www.pfsense.org/hardware/, I should aim to

    • Multiple cores at > 2.0GHz are required (because of 3x500Mbps WAN bandwidth)

    • More CPU (because of VPN and Captive Portal)

    I am not yet sure if Squid would be activated or not, but I guess I would need some storage (SSD).

    It looks like I should aim for at least SG-4860 (because of 2.4 GHz quad core CPU and 8GB of RAM) and buy an mSATA SSD later.

    Do you agree with that? Would the SG-2440 suffice?

    • W
      whosmatt
      last edited by Sep 21, 2016, 2:26 AM

      I don't think the 2440 will suffice at all, and I think the 4860 might be marginal since you have a lot of WAN bandwidth and want to run VPN and IDS. But I'll defer to those who have more experience with those kinds of WAN speeds; I unfortunately do not. I'm making my judgement solely on the CPUs of the devices, btw. RAM and the available # of network interfaces in the 4860 should be just fine. Just not sure a quad core CPU is where you want to be trying to run VPN and IDS on potentially 1.5Gbps of WAN traffic.

      • C
        CDuv
        last edited by Sep 21, 2016, 8:09 AM

        Thanks for this feedback.

        @whosmatt:

        Just not sure a quad core CPU is where you want to be trying to run VPN and IDS on potentially 1.5Gbps of WAN traffic.

        I must say I doubt the traffic would get up to 1.5Gbps, especially since the LAN port is 1Gbps.

        For the OpenVPN part: it would not be more than 20 users tops.

        • W
          whosmatt
          last edited by Sep 21, 2016, 9:45 PM

          @CDuv:

          I must say I doubt the traffic would get up to 1.5Gbps, especially since the LAN port is a 1Gbps.

          There's always link aggregation.

          • ?
            Guest
            last edited by Sep 22, 2016, 10:43 AM

            About 100 users

            It might be more interesting to know how much traffic they are producing!

            Multi-WAN (load-balancing) scenario with 3 connection of 500Mbps each

            Might be more tended to the rest of the clients and services that are offered!
            Load balancing can be done in three different ways, such as:

            • policy based routing (many clients in/out sending)
            • service based routing (different services by different ISPs in usage)
            • session based routing (server session based and more for many devices in the DMZ)

            Router redundancy: I would need extra Ethernet port and 2 servers

            Ideally two identical units such as 2 x 4860 or 2 x 8860 and using CARP then

            OpenVPN server: roaming and point-to-point

            Also a Xeon E3-12xxv3 system or an Intel Xeon D-15xx platform will be good then

            Snort or Suricata IDS
            Captive Portal
            Squid (possibly, not sure yet)

            50% - 50% I will say it is not really even clear to me what services are running, what protocols are in
            usage and how many and what exactly of traffic will be generated, in some times it will be wise to buy
            and go with a SG-4860/SG-8860 unit from the pfSense store and/or a self made Xeon E3 unit that will
            be for sure hard and strong enough plus you may be able to add some RAM later on top if really needed!!

            So it would be more or less a question what is really going on in that network.
            I would assume that also the SuperServer 5018D-FN8T or the SuperServer E300-8D
            would be ideally together with two D-Link DGS1510-24 layer3 switches!

            • enough power
            • enough ports
            • enough space
            • enough RAM capacities

            Intel Xeon D-1518 4 Cores / 8 Threads
            up to 128 GB DDR4 2133 RAM
            M.2 socket, mSATA or SATA-DOM
            2 x SFP+ & 10 x  GB LAN Ports Intel based

            Cool solution in my eyes.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.